Source: www.bleepingcomputer.com – Author: Lawrence Abrams
Ransomware gangs continue to hammer local governments in attacks, taking down IT systems and disrupting cities’ online services.
Earlier this month, we saw that with the Royal Ransomware attack on Dallas, and this week the City of Augusta, Georgia, is also suffering a cyberattack.
While the Augusta mayor’s office has disclosed a statement stating that they suffered a cyberattack, they did not share any details on the breach.
“The City of Augusta, GA began experiencing technical difficulties this past Sunday, May 21, 2023, unrelated to last week’s outage, resulting in a disruption to certain computer systems,” reads the City’s statement.
“We began an investigation and determined that we were the victim of unauthorized access to our system.”
However, today, the BlackByte ransomware operation claimed responsibility for the attack on Augusta, leaking data that they claim was stolen during the attack.
Other attacks we learned more about this week include a BlackBasta attack on German arms manufacturer Rheinmetall and ABB confirming data was stolen during an attack earlier this month.
The Cuba ransomware gang also claimed the attack on The Philadelphia Inquirer. However, after the publisher stated the data did not belong to them, Cuba took the Inquirer’s entry from their data leak site.
We also saw some interesting reports released by security firms and researchers:
- The ALPHV/BlackCat ransomware gang is now using the malicious POORTRY Windows kernel driver.
- Iranian hackers have created a new Moneybird ransomware to attack Israeli orgs
- A new Buhti ransomware operation is using the leaked LockBit and Babuk encryptors.
Finally, ransomware affiliate Bassterlord released a “slightly” edited but highly sought-after version of his ransomware manual version 2.0 that was being sold for $10,000 on hacker forums.
While some researchers felt the manual lacked detail, threat actors can still use it to gain more knowledge and learn how to breach corporate networks.
While we are not sharing this manual, it is advised that all network defenders and security professionals read the translated versions floating around on Twitter, or some of the linked analyses below, to learn what tactics were being taught.
Contributors and those who provided new ransomware information and stories this week include: @demonslay335, @malwrhunterteam, @BleepinComputer, @serghei, @billtoulas, @fwosar, @Ionut_Ilascu, @struppigel, @LawrenceAbrams, @Seifreed, @security_score, @Unit42_Intel, @_CPResearch_, @pcrisk, @BroadcomSW, @uuallan, @Jon__DiMaggio, @AShukuhi, @BushidoToken, @BrettCallow, and @UK_Daniel_Card.
May 22nd 2023
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
PCrisk found new STOP Ransomware variants that append the .gapo, .gatq, and .gaze extensions.
PCrisk found a new MedusaLocker variant that appends the .itlock20 extension (the number may differ) and drops a ransom note named How_to_back_files.html.
May 23rd 2023
Medusa ransomware appeared in June 2021, and it became more active this year by launching the “Medusa Blog” containing data leaked from victims that didn’t pay the ransom. The malware stops a list of services and processes decrypted at runtime and deletes the Volume Shadow
A 28-year-old United Kingdom man from Fleetwood, Hertfordshire, has been convicted of unauthorized computer access with criminal intent and blackmailing his employer.
German automotive and arms manufacturer Rheinmetall AG confirms that it suffered a BlackBasta ransomware attack that impacted its civilian business.
The Cuba ransomware gang has claimed responsibility for this month’s cyberattack on The Philadelphia Inquirer, which temporarily disrupted the newspaper’s distribution and disrupted some business operations.
May 24th 2023
A suspected Iranian state-supported threat actor known as ‘Agrius’ is now deploying a new ransomware strain named ‘Moneybird’ against Israeli organizations.
May 25th 2023
A new ransomware operation named ‘Buhti’ uses the leaked code of the LockBit and Babuk ransomware families to target Windows and Linux systems, respectively.
PCrisk found new STOP Ransomware variants that append the .vapo, .vatq, and .vaze extensions.
PCrisk found a new ransomware that appends the .FAST extension and drops a ransom note named #FILEENCRYPTED.txt.
Basterlord released the much sought after 2nd version of his manual on Twitter.
May 26th 2023
The city of Augusta in Georgia, U.S., has confirmed that the most recent IT system outage was caused by unauthorized access to its network.
Swiss tech multinational and U.S. government contractor ABB has confirmed that some of its systems were impacted by a ransomware attack, previously described by the company as “an IT security incident.”
PCrisk found a new ransomware variant that appends the .EXISC extension and drops a ransom note named Please Contact Us To Restore.txt.
Yesterday Basterlord (an infamous ransomware operator) published a copy of “Networking Manual v2.0” (which I’ll refer to as “the manual”). So I of course thought we should analyze this and look to see what he was selling for $10 thousand dollars!
Join the author of Ransomware Diaries: Volume 2- A Ransomware Hacker Origin Story, Jon DiMaggio, for a dive into the ramifications Bassterlord has faced since his story came out.
That’s it for this week! Hope everyone has a nice weekend!
Original Post URL: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-may-26th-2023-cities-under-attack/
Category & Tags: Security – Security